EntitlementIDs:

<entitlementID ID="E1" V="doctors + nurses"/>
<entitlementID ID="E2" V="lab techs"/>

XML text:

<A entitlement="E1">
  <B> ... </B>
  <C entitlement="E2">
    <D> ... </D>
  </C>
</A>
System and Method for Managing Objects and Resources with
Access Rights Embedded in Nodes Within a Hierarchical Tree Structure

The present application claims benefit of U.S. Provisional Application No.
60/279,041, filed March 27, 2001, which is incorporated herein by reference.

Field of the Invention 

The present invention provides a system and method for managing objects and
resources with access rights embedded in nodes within a hierarchical tree structure.
The system is suitable for implementation of HL7-approved XML standards for
medical records and/or messages.
Background of the Invention

Controlling the access of a large number of users to a vast array of data
represents one of the greatest challenges facing the future of the Internet. One
example of an immense access control undertaking that will exceed the capabilities of
current access control systems relates to the provisions of the Health Insurance
Portability and Accountability Act of 1996 (HIPAA).

HIPAA will be implemented in accordance with a Rule (Federal Register /
Vol. 65, No. 250 / Thursday, December 28, 2000 / Rules and Regulations p. 82462,
45 CFR Parts 160 and 164, Rin: 0991-AB08, Standards for Privacy of Individually
Identifiable Health Information) promulgated by the Department of Health and
Human Services (HHS) in an effort to achieve the adoption of industry standards for
the electronic transmission of health information. In short, HIPAA requires that all
patient information transfers between organizations be in a standardized form and that
standards of privacy be maintained. Health Level 7 (HL7) is an organization that
creates the standards for storage and interchange of medical records encompassed by
HIPAA. Standardization complications include the fact that there are currently about
400 formats for electronic health care claims processing in use nationwide. Further,
the need to manage this information will require finely granular (down to the per-field
level) access to a massively scaled number of records. This access must obey the
mandated confidentiality and respect specific patient confidentiality requests.

HL7 has chosen the eXtensible Markup Language (XML) as the basis for
structuring medical records for storage and messaging. This language organizes data
as tree-structured documents. XML is standardized by W3C
(http://www.w3.org/TR/REC-xml). W3C is an international industry consortium
responsible for developing common code standards for the World Wide Web.

Applications storing or transferring medical records will require access control
mechanisms to assure that HIPAA requirements are met. It is an object of the present
invention to supply this need.

U.S. Patent No. 6,061,684, "Method and system for controlling user access to
a resource in a networked computing environment," assigned to Microsoft
Corporation (Redmond, WA), describes a unified and straightforward approach to
managing file and other resource security in a networked computing environment.
The invention can be implemented in a multi-user computer network that includes a
client computer, a server computer that controls a resource sharable among users of
the network, such as a shared file folder or directory, and a communications pathway
between the client computer and the server computer. The resource is organized as a
hierarchy of elements with a root element at the top of the hierarchy and additional
elements below the root element. According to the invention, a request is received to
change a protection, such as an access permission, of an element of the resource
hierarchy (other than the root) with respect to a particular network user. If the element
in question lacks an associated access control list, a nearest ancestor element of the
hierarchy is located that has an associated access control list. The first (descendant)
element inherits the access control list of the second (ancestor) element. This
inheritance is done by generating a copy of the access control list of the second
element and associating the generated copy with the first element. The requested
change in protection is then incorporated into the generated copy that has been
associated with the first element so as to establish an updated access control list for
the first element. Further, the requested change can be propagated downwards in the
hierarchy from the first element to its descendants having access control lists.
U.S. Patent No. 6,038,563, "System and method for restricting database access
to managed object information using a permissions table that specifies access rights
corresponding to user access rights to the managed objects," assigned to Sun
Microsystems, Inc. (Palo Alto, CA), describes an access control database that
specifies access rights by users to specified sets of the managed objects. The specified
access rights include access rights to obtain management information from the
network. An access control server provides users access to the managed objects in
accordance with the access rights specified by the access control database. An
information transfer mechanism sends management information from the network to a
database management system (DBMS) for storage in a set of database tables. Each
database table stores management information for a corresponding class of managed
objects. An access control procedure limits access to the management information
stored in the database tables using at least one permissions table. A permissions table
defines a subset of rows in the database tables that are accessible to at least one of the
users. The set of database table rows that are accessible corresponds to the managed
object access rights specified by the access control database. A user access request to
access management information in the database is intercepted, and the access control
procedure is invoked when the user access request is a select statement. The database
access engine accesses information in the set of database tables using the permissions
tables such that each user is allowed access only to management information in the set
of database tables that the user would be allowed by the access control database to
access.

U.S. Patent No. 5,878,415, "Controlling access to objects in a hierarchical
database," assigned to Novell, Inc. (Provo, UT), describes methods and systems for
controlling access to objects in a hierarchical database. The database may include a
directory services repository, and/or synchronized partitions. An access constraint
propagator reads an access control property of an ancestor of a target object. The
access control property designates an inheritable access constraint such as an object
class filter or an "inheritable" flag. The object class filter restricts a grant of rights to
objects of an identified class. The "inheritable" flag allows inheritance of an access
constraint on a specific object property. The propagator enforces the inheritable
access constraint by applying it to at least the target object.
Summary of the Invention

In one aspect, the present invention comprises a system for managing objects
and resources with access rights embedded in nodes within a hierarchical tree
structure. The system includes a host, housing a Web server, a database server, an
entitlement server, and a transaction server; a network, such as the Internet or an
intranet; and one or more client PCs.

In another aspect, the present invention comprises a method of inputting a
transaction in XML form for use in the determination and granting of access rights
embedded in nodes within a hierarchical tree structure. The method includes
receiving transaction data from the external system; parsing and validating the XML;
determining whether the received data is valid; adding access data to the entitlement
server and text content to the database server; determining whether an error occurred;
sending an error message to the external system; and sending a confirmation message
to the external system.

In yet another aspect, the present invention comprises a method of interacting
with a host system into which an XML document has been accepted. The method
includes identifying the user accessing the host using a client PC; receiving a request;
determining whether an access check is needed; determining whether permission
should be granted; performing the request; replying to the user; and handling the
denial of the request.

One advantage of the present invention is that it provides a way to protect
objects described by a tree structure.

A second advantage of the present invention is that it provides a way to protect
objects with as much granularity as the tree structure permits.

A third advantage of the present invention is that it provides a way to protect
objects with as much granularity as the set of users permits.

A fourth advantage of the present invention is that the entitlement IDs (or
expressions or objects) can be defined in diverse ways, allowing for a wide variety
of applications.

A fifth advantage of the present invention is that the entitlement IDs may be
collected separately, meaning that they do not need to be sprinkled throughout the
code structure. They can be cached before the XML is parsed, leading to improved
system speed and efficiency.

A sixth advantage of the present invention is that it may be packaged either as a
separate XML document or as a separate part of the document containing the objects
to protect.

Brief Description of the Drawing

The invention is described with reference to the several figures of the drawing,
in which:

Figure 1 shows a system for managing objects and resources in a hierarchy
with access rights embedded in nodes;

Figure 2 is a flow chart illustrating a method of inputting a transaction in
XML form;

Figure 3 is a flow chart illustrating a method of interacting with a host system
into which the XML document has been accepted; and

Figure 4 illustrates the use of XML to manage objects and resources in a
hierarchy with access rights embedded in some nodes.

Detailed Description

Figure 1 illustrates a system for managing objects and resources in a hierarchy
with access rights embedded in nodes. System 100 includes a host 105, comprising a
Web server 110, a database server 120, an entitlement server 130, and a transaction
server 140, which are all interconnected within host 105. Host 105 can be either a
single computer, or a series of computers operating in concert. System 100 also
includes connections to a network 150 (such as the Internet or an intranet), through
which an external system 160, and one or more client PCs 170 connect with host 105.

In some embodiments of the invention, external system 160 and client PCs
170 use network 150 to communicate with host 105 for the purposes of generating
and receiving documents programmed in XML. In other embodiments, client PCs
170 need never actually create or access XML directly. Instead, web server 110
invokes transaction server 140 to request text from an XML document, and then
transforms the text into HTML to send back to the client PC 170.
Typically, client PC 170 is a personal computer. External system 160 may be
a peer to host 105 or a host-type system of wholly separate elements; however,
external system 160 must contain an application capable of generating and translating
XML. Host 105 represents a network-connected host environment consisting of one
or more servers. Web server 110, which may be a single server or multiple servers
operating in a cluster, executes the functions associated with serving World Wide
Web pages. Database server 120 stores the actual content of the XML transactions
and is called upon by other elements of host 105 for such content. The internal form
of the content need not be XML as long as the tree structuring information is
preserved. Entitlement server 130 operates as one type of a database server dedicated
to hosting and adjudicating access control for applications served by host 105. The
functionality of one suitable entitlement server 130 is fully described in U.S. Patent
6,154,741 to Feldman, which is assigned to EntitleNet, Inc., and incorporated herein
by reference. Transaction server 140 functions as the XML interpreter, and houses
various software applications for that purpose, including those that pass portions of
submitted XML documents to entitlement server 130 and database server 120 for
storage. Transaction server 140 also receives transaction results from entitlement
server 130 and database server 120 and responds accordingly to the transaction's
requestor. In addition, transaction server 140 governs the retrieval of requested
portions of XML documents.

Figure 2 is a flowchart illustrating a method of inputting a transaction in XML
form. Entitlement information within the XML affects the exchange with respect to
the way permission to access information is granted. Method 200 includes the
following steps:

Step 210: Receiving transaction data

In this step, transaction server 140 receives an XML document with associated
transaction data generated by external system 160. External system 160 sends this
XML document to transaction server 140 via network 150.

Step 220: Parsing and validating XML

In this step, transaction server 140 parses the received XML document to
check for validity using software applications and techniques well known in the art.
Step 230: Are the data valid?

In this decision step, transaction server 140 determines whether the XML
document is valid. If yes, process 200 proceeds to step 240; if no, process 200
proceeds to step 260.

Step 240: Adding access data to entitlement server and text content to database server

In this step, transaction server 140 translates the information parsed in step
220 into the appropriate internal form and stores it on entitlement server 130 and
database server 120. In particular, access information is added to entitlement server
130, and the text information is saved to database server 120. In addition, some
tracking information is added to database server 120 to track the processing
performed.

Step 250: Did an error occur?

In this decision step, transaction server 140 checks to see if any errors
occurred thus far. If yes, process 200 proceeds to step 260; if no, process 200
proceeds to step 270.

Step 260: Sending error message

In this step, transaction server 140 sends an error message back to the
originating external system 160 via network 150, and processing ends.

Step 270: Sending confirmation message

In this step, transaction server 140 sends a confirmation message back to the
originating external system 160 via network 150, and processing ends.
Figure 3 is a flowchart illustrating a method of interacting with a host system
into which the XML document has been accepted. While Figure 2 covered the
programmatic interface with host 105 using external system 160, Figure 3 instead
covers the interaction of client PCs 170 with host 105. Method 300 includes the
following steps:
Step 310: Authenticating user

In this step, Web server 110 authenticates users on client PC 170 talking to
host 105 using network 150 and applications known in the art, such as using a secure
socket layer interchange.

Step 320: Receiving request

In this step, Web server 110 receives a request for information from a user
using Web-browsing software installed on client PC 170.

Step 330: Is an access check needed?

In this decision step, Web server 110 determines whether the information
request requires an access control check. If yes, process 300 proceeds to step 340; if
no, process 300 proceeds to step 380.

Step 340: Is permission granted?

In this decision step, entitlement server 130 determines whether to grant
access based on user identification obtained in step 310 and the access check
performed in step 330. If yes, process 300 proceeds to step 350; if no, process 300
proceeds to step 370.

Step 350: Performing request

In this step, entitlement server 130 performs the request received from Web
server 110. The performance of this request (or adjudication) is fully described in U.S.
Patent 6,154,741 assigned to EntitleNet, Inc.

Step 360: Replying to user

In this step, Web server 110 sends a reply to the request for information
originating from client PC 170 via network 150, and processing ends.
Step 370: Handling denial

In this step, Web server 110 handles the denial of access to information (i.e.,
the user on client PC 170 is not allowed to receive the information requested) by
communicating with client PC 170 via network 150, and processing ends.
Figure 4 illustrates the use of XML to manage objects and resources in a
hierarchy with access rights embedded in some nodes. An entitlementID element
creates a BMAP object with a name given by the ID attribute and entitles it with the
entitlement expression given by the V attribute. (The names are arbitrary and chosen
for the purposes of exposition.) An arbitrary number of these may be defined to yield
any desired granularity.

An entitlement attribute within an element specifies the entitlementID
governing the element. Entitlements are enforced in a tree-oriented manner, with lower
or enclosed elements of the tree governed by the enclosing nodes. An exception to
this is that an entitlement attribute on an element supersedes the entitlement of higher
nodes. This presents two constructs which, when used in concert, allow the
specification of the control of access to portions of an XML data structure.
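As an added worked example (not code from the application, and not the EntitleNet implementation it references), the following Python resolves the two constructs just described over the Figure 4 layout: the entitlementID table is parsed into group masks, each element is governed by the nearest entitlement attribute on itself or an ancestor, and the user's row of a bit-map membership map (the matrix of users and group memberships of claims 1 and 14) is ANDed against that mask. The group universe, the sample users, the reading of "+" in a V expression as "any of these groups", and the fail-closed treatment of an element with no governing entitlement are all assumptions of this example. filter_document builds the served document of claim 22 by dropping denied elements while keeping permitted descendants, since a lower entitlement attribute supersedes a higher one.

```python
import xml.etree.ElementTree as ET

# Constructed sample data modelled on the Figure 4 layout (not the application's
# own data): an entitlementID table and a document whose elements carry
# "entitlement" attributes that refer into the table.
ENTITLEMENT_IDS_XML = """<entitlementIDs>
  <entitlementID ID="E1" V="doctors + nurses"/>
  <entitlementID ID="E2" V="lab techs"/>
</entitlementIDs>"""

DOCUMENT_XML = """<A entitlement="E1">
  <B>vitals</B>
  <C entitlement="E2">
    <D>lab results</D>
  </C>
</A>"""

# Assumed universe of entitlement groups; a group's index is its column (bit
# position) in the membership map.
GROUPS = ["doctors", "nurses", "lab techs", "billing"]

# Constructed membership map: one row per user, one bit per group (the bit-map
# matrix of users and group memberships described in claims 1 and 14).
MEMBERSHIP_MAP = {
    "alice": 0b0001,  # doctors
    "bob":   0b0100,  # lab techs
    "carol": 0b1000,  # billing
}


def group_bit(name):
    """Mask selecting one group column of the membership map."""
    return 1 << GROUPS.index(name)


def load_entitlement_table(xml_text):
    """Map each entitlement ID to a group mask. The V expression syntax is an
    assumption of this example: '+' joins group names and means 'any of these'."""
    table = {}
    for el in ET.fromstring(xml_text).iter("entitlementID"):
        mask = 0
        for term in el.get("V").split("+"):
            mask |= group_bit(term.strip())
        table[el.get("ID")] = mask
    return table


def effective_entitlement(path):
    """Entitlement ID governing the last element of `path` (root first): the
    element's own attribute if present, otherwise the nearest ancestor's, so a
    lower attribute supersedes higher ones as Figure 4 describes."""
    for el in reversed(path):
        ent = el.get("entitlement")
        if ent is not None:
            return ent
    return None


def is_member(user, ent_id, table):
    """AND the user's row with the entitlement's group mask. Fail closed when
    no entitlement governs the element or the ID is not in the table."""
    if ent_id is None or ent_id not in table:
        return False
    return (MEMBERSHIP_MAP.get(user, 0) & table[ent_id]) != 0


def _walk(el, path):
    path = path + [el]
    yield path
    for child in el:
        yield from _walk(child, path)


def permitted_elements(xml_text, user, table):
    """Paths such as 'A/C/D' of every element the user may access, each element
    judged by its own effective entitlement."""
    root = ET.fromstring(xml_text)
    return ["/".join(e.tag for e in p)
            for p in _walk(root, [])
            if is_member(user, effective_entitlement(p), table)]


def filter_document(xml_text, user, table):
    """Build the document served to the user (claim 22): denied elements and
    their text are dropped; permitted descendants of a denied element are
    attached to the nearest retained ancestor, or to the wrapper root."""
    wrapper = ET.Element("document")

    def visit(el, path, parent_out):
        path = path + [el]
        if is_member(user, effective_entitlement(path), table):
            out = ET.SubElement(parent_out, el.tag, el.attrib)
            out.text = el.text
        else:
            out = parent_out
        for child in el:
            visit(child, path, out)

    visit(ET.fromstring(xml_text), [], wrapper)
    return wrapper


def visible_tags(xml_text, user, table):
    """Tags of the served document in document order, wrapper first."""
    return [el.tag for el in filter_document(xml_text, user, table).iter()]


if __name__ == "__main__":
    table = load_entitlement_table(ENTITLEMENT_IDS_XML)
    for user in MEMBERSHIP_MAP:
        print(user, permitted_elements(DOCUMENT_XML, user, table))
        print(ET.tostring(filter_document(DOCUMENT_XML, user, table), encoding="unicode"))
```

Run stand-alone, the script shows the consequence of the supersession rule: a lab tech who is denied the enclosing A element still receives C and D, while a doctor receives A and B but not the C subtree. Denying an element that has no governing entitlement anywhere above it is a design choice of this example, not a requirement stated by the application; it keeps an element that was never labelled from being served by default.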

Other embodiments of the invention will be apparent to those skilled in the art
from a consideration of the specification or practice of the invention disclosed herein.
It is intended that the specification and examples be considered as exemplary only,
with the true scope and spirit of the invention being indicated by the following claims.

What is claimed is:

1. A method of controlling access to a hierarchically organized collection of data
elements, comprising:
    consulting the data element or ancestor elements of the data element to
    determine an entitlement status for the element;
    consulting an entitlement ID to determine an entitlement group corresponding
    to the entitlement status;
    consulting a membership map to determine whether a selected user is a
    member of the entitlement group, wherein the membership map
    comprises a matrix of users and group memberships; and
    allowing the user to access the data element only if the user is a member of the
    entitlement group.

2. The method of claim 1, wherein the membership map is stored as a bit map.

3. The method of claim 1, wherein the entitlement status in the data element or
ancestor element is an entitlement expression.

4. The method of claim 1, wherein the hierarchically organized collection of data
elements is an XML document.

5. The method of claim 4, wherein the XML document complies with the
HIPAA standard.

6. The method of claim 1, further comprising caching entitlement group
definitions for the hierarchically organized collection of data elements prior to
consulting the membership map.

7. A method of describing access restrictions on individual elements of a document
having a hierarchical structure, comprising:
    placing entitlement ID's in one or more elements of the document, said
    entitlement ID's referring to entitlement expressions describing groups
    of users allowed to access the elements, where the entitlement ID
    applicable to an element is the ID placed in the element or in the first
    ancestor of the element having an entitlement ID.

8. The method of claim 7, wherein the document is an XML document.

9. The method of claim 8, wherein the entitlement ID's are variable settings on
XML tags.

10. The method of claim 8, wherein the XML document complies with HIPAA
standards.

11. The method of claim 7, wherein the document comprises a table of entitlement
ID's and corresponding entitlement expressions.

12. A method of providing a document having access restrictions described
according to the method of claim 7, comprising:
    consulting the entitlement ID's and comparing them with entitlement groups
    of the user; and
    serving to the user those portions of the document which the user is authorized
    to receive.

13. The method of claim 12, wherein user authorizations are stored in a
membership map.

14. The method of claim 13, wherein the membership map is a bit map.

15. The method of claim 12, further comprising caching entitlement expressions
in the document prior to serving to the user.

16. A system for providing information to users selectively according to
predetermined access rights, the system comprising:
    a database of records, the records being hierarchically organized into elements,
    at least some of the elements comprising access rights information;
    an entitlement server comprising a membership map describing user
    membership in access groups; and
    a transaction server that consults the database and the entitlement server and
    serves information to users in response to requests only if users are
    allowed to access the information.

17. The system of claim 16, wherein the records are XML documents.

18. The system of claim 17, wherein the XML documents comply with HIPAA
standards.

19. The system of claim 16, wherein access rights to an element are controlled by
access rights information embedded therein if such access rights information
exists, and by access rights information embedded in the first ancestor element
having such access rights information if the element does not comprise
embedded access rights information.

20. The system of claim 16, wherein the access rights information is an
entitlement expression.

21. The system of claim 16, wherein the membership map is a bit map.

22. The system of claim 16, wherein the transaction server serves an XML
document comprising only elements for which the user has access rights.

23. The system of claim 16, wherein the transaction server uses an XML
document having access rights information embedded therein to build an
HTML document comprising only elements for which the user has access
rights, and serves the HTML document to the user.